Calling location.replace() with a javascript: URL on a cross-origin IFrame executed the script in the IFrame’s security context. The replace method did not apply the same javascript: protocol block that guarded the location.href assignment path.

iFrame.location.replace(
    "javascript:alert(document.URL + '\\n\\n' + document.body.innerText)"
);

Setting iFrame.location.href = "javascript:..." was blocked by a cross-origin check. The replace method, which was supposed to be functionally equivalent for navigation purposes, lacked that check. The script ran in the IFrame’s context and had full access to its document, cookies, and DOM.
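The gap described above, reduced to a small model and shown beside a corrected design in which both entry points share one check. This is an added example, not code from the original post or from any browser; the class names, function names and example origins are hypothetical.

```javascript
// Constructed model for illustration; not browser source code.
function isScriptUrl(url) {
  // Scheme comparison ignores case and leading whitespace.
  return /^\s*javascript:/i.test(String(url));
}

// Commit a navigation. A javascript: URL executes in the frame's origin.
function commit(frame, url, replaceHistory) {
  return { url, replaceHistory, scriptRunsIn: isScriptUrl(url) ? frame.origin : null };
}

// The cross-origin check: only a same-origin caller may run script in the frame.
function guard(frame, callerOrigin, url) {
  if (isScriptUrl(url) && callerOrigin !== frame.origin) {
    throw new Error("blocked: cross-origin javascript: navigation");
  }
}

// Flawed design: each entry point carries (or forgets) its own check.
class PerEntryPointLocation {
  constructor(origin) { this.origin = origin; }
  setHref(caller, url) { guard(this, caller, url); return commit(this, url, false); }
  replace(caller, url) { return commit(this, url, true); } // check missing
}

// Corrected design: one chokepoint that every entry point passes through.
class SingleChokepointLocation {
  constructor(origin) { this.origin = origin; }
  navigate(caller, url, replaceHistory) {
    guard(this, caller, url);
    return commit(this, url, replaceHistory);
  }
  setHref(caller, url) { return this.navigate(caller, url, false); }
  replace(caller, url) { return this.navigate(caller, url, true); }
}

// Regression check: which entry points accept a javascript: URL from this caller?
function unguardedEntryPoints(loc, callerOrigin) {
  return ["setHref", "replace"].filter((name) => {
    try { loc[name](callerOrigin, "javascript:void 0"); return true; }
    catch { return false; }
  });
}
```

Running the regression check against every navigation entry point, rather than only the one that was originally reported, is what catches a sibling method that skipped the guard.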

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.